Authenticate access to Azure resources by using managed identities in Azure Logic Apps

To access resources in other Azure Active Directory (Azure AD) tenants and authenticate your identity without signing in, your logic app can use a managed identity (formerly Managed Service Identity or MSI) rather than credentials or secrets. Azure manages this identity for you and helps secure your credentials, because you don't have to provide or rotate secrets.

Azure Logic Apps supports the system-assigned managed identity, which your logic app can use. Currently, only specific built-in triggers and actions support managed identities, not managed connectors or connections, for example:

  • HTTP
  • Azure Functions
  • Azure API Management
  • Azure App Services

This article shows how to set up the system-assigned managed identity for your logic app. For more information, see these topics:

Prerequisites

  • An Azure subscription. If you don't have a subscription, sign up for a trial Azure account. Both the managed identity and the target Azure resource where you need access must use the same Azure subscription.

  • To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity. To add roles, you need Azure AD administrator permissions that can assign roles to identities in the corresponding Azure AD tenant.

  • The target Azure resource that you want to access. On this resource, you'll add a role for the managed identity, which lets the logic app authenticate access to the target resource.

  • The logic app where you want to use the trigger or actions that support managed identities

Enable managed identity

To set up the managed identity that you want to use, follow the link for that identity:

Enable system-assigned identity

To set up the system-assigned identity for your logic app, here are the options that you can use:

Enable system-assigned identity in Azure portal

  1. In the Azure portal, open your logic app in Logic App Designer.

  2. On the logic app menu, under Settings, select Identity. Select System assigned > On > Save. When Azure prompts you to confirm, select Yes.

    [Image: Enable the system-assigned identity]

    Your logic app can now use the system-assigned identity, which is registered with Azure Active Directory and is represented by an object ID.

    [Image: Object ID for the system-assigned identity]

    Property  | Value                  | Description
    Object ID | <identity-resource-ID> | A Globally Unique Identifier (GUID) that represents the system-assigned identity for your logic app in an Azure AD tenant

  3. Now follow the steps that give that identity access to the resource, later in this topic.

Enable system-assigned identity in Azure Resource Manager template

To automate creating and deploying Azure resources such as logic apps, you can use Azure Resource Manager templates. To enable the system-assigned managed identity for your logic app in the template, add the identity object and the type child property to the logic app's resource definition in the template, for example:

{
   "apiVersion": "2016-06-01",
   "type": "Microsoft.logic/workflows",
   "name": "[variables('logicappName')]",
   "location": "[resourceGroup().location]",
   "identity": {
      "type": "SystemAssigned"
   },
   "properties": {
      "definition": {
         "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
         "actions": {},
         "parameters": {},
         "triggers": {},
         "contentVersion": "1.0.0.0",
         "outputs": {}
      },
      "parameters": {}
   },
   "dependsOn": []
}

When Azure creates your logic app resource definition, the identity object gets these additional properties:

"identity": {
   "type": "SystemAssigned",
   "principalId": "<principal-ID>",
   "tenantId": "<Azure-AD-tenant-ID>"
}

Property (JSON) | Value                | Description
principalId     | <principal-ID>       | The Globally Unique Identifier (GUID) of the service principal object for the managed identity that represents your logic app in the Azure AD tenant. This GUID sometimes appears as an "object ID" or objectID.
tenantId        | <Azure-AD-tenant-ID> | The Globally Unique Identifier (GUID) that represents the Azure AD tenant where the logic app is now a member. Inside the Azure AD tenant, the service principal has the same name as the logic app instance.

Give identity access to resources

Before you can use your logic app's managed identity for authentication, set up access for that identity on the Azure resource where you plan to use the identity. To complete this task, assign the appropriate role to that identity on the target Azure resource. Here are the options that you can use:

Assign access in the Azure portal

  1. In the Azure portal, go to the Azure resource where you want your managed identity to have access.

  2. From the resource's menu, select Access control (IAM) > Role assignments, where you can review the current role assignments for that resource. On the toolbar, select Add > Add role assignment.

    [Image: Select Add > Add role assignment]

    Tip

    If the Add role assignment option is disabled, you most likely don't have permissions. For more information about the permissions that let you manage roles for resources, see Administrator role permissions in Azure Active Directory.

  3. Under Add role assignment, select a Role that gives your identity the necessary access to the target resource.

    For this topic's example, your identity needs a role that can access the blob in an Azure Storage container.

    [Image: Select the Storage Blob Data Contributor role]

  4. Follow these steps for your managed identity:

    • System-assigned identity

      1. In the Assign access to box, select Logic App. When the Subscription property appears, select the Azure subscription that's associated with your identity.

        [Image: Select access for the system-assigned identity]

      2. Under the Select box, select your logic app from the list. If the list is too long, use the Select box to filter the list.

        [Image: Select the logic app for the system-assigned identity]

  5. When you're done, select Save.

    The target resource's role assignments list now shows the selected managed identity and role. This example shows how you can use the system-assigned identity for one logic app.

    [Image: Managed identity and role added to the target resource]

    For more information, see Assign a managed identity access to a resource by using the Azure portal.

  6. Now follow the steps to authenticate access with the identity in a trigger or action that supports managed identities.

Authenticate access with managed identity

After you enable the managed identity for your logic app and give that identity access to the target resource or entity, you can use that identity in triggers and actions that support managed identities.

Important

If you have an Azure function where you want to use the system-assigned identity, first enable authentication for Azure functions.

These steps show how to use the managed identity with a trigger or action through the Azure portal. To specify the managed identity in a trigger or action's underlying JSON definition, see Managed identity authentication.

  1. In the Azure portal, open your logic app in the Logic App Designer.

  2. If you haven't done so yet, add the trigger or action that supports managed identities.

    For example, the HTTP trigger or action can use the system-assigned identity that you enabled for your logic app. In general, the HTTP trigger or action uses these properties to specify the resource or entity that you want to access:

    Property       | Required | Description
    Method         | Yes      | The HTTP method that's used by the operation that you want to run
    URI            | Yes      | The endpoint URL for accessing the target Azure resource or entity. The URI syntax usually includes the resource ID for the Azure resource or service.
    Headers        | No       | Any header values that you need or want to include in the outgoing request, such as the content type
    Queries        | No       | Any query parameters that you need or want to include in the request, such as the parameter for a specific operation or the API version for the operation that you want to run
    Authentication | Yes      | The authentication type to use for authenticating access to the target resource or entity

    As a specific example, suppose that you want to run the Snapshot Blob operation on a blob in the Azure Storage account where you previously set up access for your identity. However, the Azure Blob Storage connector doesn't currently offer this operation. Instead, you can run this operation by using the HTTP action or another Blob Service REST API operation.

    Important

    To access Azure storage accounts behind firewalls by using HTTP requests and managed identities, make sure that you also set up your storage account with the exception that allows access by trusted Azure services.

    To run the Snapshot Blob operation, the HTTP action specifies these properties:

    Property | Required                | Example value | Description
    Method   | Yes                     | PUT | The HTTP method that the Snapshot Blob operation uses
    URI      | Yes                     | https://{storage-account-name}.blob.core.chinacloudapi.cn/{blob-container-name}/{folder-name-if-any}/{blob-file-name-with-extension} | The resource ID for an Azure Blob Storage file in the Azure Global (public) environment, which uses this syntax
    Headers  | Yes, for Azure Storage  | x-ms-blob-type = BlockBlob; x-ms-version = 2019-02-02 | The x-ms-blob-type and x-ms-version header values that are required for Azure Storage operations. Important: In outgoing HTTP trigger and action requests for Azure Storage, the header requires the x-ms-version property and the API version for the operation that you want to run. For more information, see Request headers - Snapshot Blob, and Versioning for Azure Storage services.
    Queries  | Yes, for this operation | comp = snapshot | The query parameter name and value for the Snapshot Blob operation.

    Here is the example HTTP action that shows all these property values:

    [Image: Add an HTTP action for accessing an Azure resource]

  3. Now add the Authentication property to the HTTP action. From the Add new parameter list, select Authentication.

    [Image: Add the Authentication property to the HTTP action]

    Note

    Not all triggers and actions support letting you add an authentication type. For more information, see Add authentication to outbound calls.

  4. From the Authentication type list, select Managed Identity.

    [Image: For Authentication, select Managed Identity]

  5. From the managed identity list, select from the available options based on your scenario.

    • If you set up the system-assigned identity, select System Assigned Managed Identity if not already selected.

      [Image: Select System Assigned Managed Identity]

    This example continues with the System Assigned Managed Identity.

  6. On some triggers and actions, the Audience property also appears so that you can set the target resource ID. Set the Audience property to the resource ID for the target resource or service. Otherwise, by default, the Audience property uses the https://management.chinacloudapi.cn/ resource ID, which is the resource ID for Azure Resource Manager.

    Important

    Make sure that the target resource ID exactly matches the value that Azure Active Directory (AD) expects, including any required trailing slashes. For example, the resource ID for all Azure Blob Storage accounts requires a trailing slash. However, the resource ID for a specific storage account doesn't require a trailing slash. Check the resource IDs for the Azure services that support Azure AD.

    This example sets the Audience property to https://storage.azure.com/ so that the access tokens used for authentication are valid for all storage accounts. However, you can also specify the root service URL, https://fabrikamstorageaccount.blob.core.chinacloudapi.cn, for a specific storage account.

    [Image: Set the Audience property to the target resource ID]

    For more information about authorizing access with Azure AD for Azure Storage, see these topics:

  7. Continue building the logic app the way that you want.
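As an added example that is not part of the original article, the following is what the Snapshot Blob HTTP action configured in the steps above looks like in the workflow definition's JSON: the authentication object names the managed identity and the audience from step 6, so the action carries no stored key or connection string. The action name Snapshot_Blob and the {storage-account-name}, {blob-container-name} and {blob-file-name-with-extension} placeholders are assumptions to fill in; the headers, query and audience values are the ones the article gives.

```json
{
   "Snapshot_Blob": {
      "type": "Http",
      "inputs": {
         "method": "PUT",
         "uri": "https://{storage-account-name}.blob.core.chinacloudapi.cn/{blob-container-name}/{blob-file-name-with-extension}",
         "headers": {
            "x-ms-blob-type": "BlockBlob",
            "x-ms-version": "2019-02-02"
         },
         "queries": {
            "comp": "snapshot"
         },
         "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://storage.azure.com/"
         }
      },
      "runAfter": {}
   }
}
```

Because no secret appears in the definition, it can be kept in source control as-is; the access token is issued to the logic app's service principal at run time and what it may do is bounded by the role assignment on the storage account, not by anything in this JSON.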

Disable managed identity

To stop using a managed identity for your logic app, you have these options:

If you delete your logic app, Azure automatically removes the managed identity from Azure AD.

Disable managed identity in the Azure portal

In the Azure portal, first remove the identity's access to your target resource. Next, turn off the system-assigned identity.

Remove identity access from resources

  1. In the Azure portal, go to the target Azure resource where you want to remove access for the managed identity.

  2. From the target resource's menu, select Access control (IAM). Under the toolbar, select Role assignments.

  3. In the roles list, select the managed identities that you want to remove. On the toolbar, select Remove.

    Tip

    If the Remove option is disabled, you most likely don't have permissions. For more information about the permissions that let you manage roles for resources, see Administrator role permissions in Azure Active Directory.

The managed identity is now removed and no longer has access to the target resource.

Disable managed identity on logic app

  1. In the Azure portal, open your logic app in Logic App Designer.

  2. On the logic app menu, under Settings, select Identity, and then follow the steps for your identity:

    • Select System assigned > Off > Save. When Azure prompts you to confirm, select Yes.

      [Image: Disable the system-assigned identity]

The managed identity is now disabled on your logic app.

Disable managed identity in Azure Resource Manager template

If you created the logic app's managed identity by using an Azure Resource Manager template, set the identity object's type child property to None. For the system-managed identity, this action also deletes the principal ID from Azure AD.

"identity": {
   "type": "None"
}

Next steps